Register

If this is your first visit, please click the Sign Up now button to begin the process of creating your account so you can begin posting on our forums! The Sign Up process will only take up about a minute of two of your time.

Page 1 of 2 1 2 LastLast
Results 1 to 10 of 14
  1. #1
    Junior Member
    Join Date
    Jan 2007
    Posts
    13
    Member #
    14670
    I used to run a simple premade php-nuke website, but someone hacked it. Now, I am more advanced and have learned how to code some php. However, I am sure if I tried to make a database and run a website off of it, it would surely get hacked. Can anyone tell me first how someone hacks websites, and how to protect your own from it. Sorry there are so many loaded questions, but help is appreciated.

  2.  

  3. #2
    Senior Member Steax's Avatar
    Join Date
    Dec 2006
    Location
    Bandung, Indonesia
    Posts
    1,207
    Member #
    14572
    Ok, let me do a bit of a lecture.

    People like to hack databases from its queries. For most SQL-based languages, they make special queries. Like in a login username field, they do a
    Code:
    ' OR 1=1; DROP TABEL `users`;
    This is a common method to blow away your security measures. When it goes into your common query, it becomes
    Code:
    SELECT * FROM `users` WHERE `username` = '' OR 1=1; DROP TABEL `users`;'
    As you can see, it bypasses the first query (by including an OR operator that clearly validates to true) and then does the second query, a table drop. So that can do major damage.

    But see the problem with that method? They have to know the names of your tables etc. Thus, why handmade programs are less likely to be penetrated by crackers.

    There's a second, sometimes easier to penetrate. This involves trust.

    PHP Code:
    $ucheck $_POST['userlevel'];
    $acheck $_POST['accesstyle'];
    if(
    $ucheck && $acheck){
       
    $ok true;
    }
    if(
    $true){
       
    // Do special stuff here

    Now, it's very dangerous that $ok variable is set by a user, but I've never seen this one in action, so I'll skip that first. The problem is that this script trusts the user's information too much. Users CAN modify post,or get variables (the latter being the easiest). It's really easy. They can easily set both of those POST variables to true.

    And can someone tell me if a user can also modify session variables?
    Note on code: If I give code, please note that it is simply sample code to demonstrate an effect. It is not meant to be used as-is; that is the programmer's job. I am not responsible to give you support or be held liable for anything that happens when using my code.

  4. #3
    Junior Member EngAdven's Avatar
    Join Date
    Oct 2006
    Location
    Devon, UK
    Posts
    26
    Member #
    14224
    One easy way to avoid hacking is to use DB to HTML technology. This parses the data into lots of static html pages so they cannot be hacked.
    It can't be used if you need to let other people update the content as it works from a PC, however, the growing number of blog/wiki apps might be able to help as these can be similar to server side version.

  5. #4
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    The session thing is a little more complicated. If you set a cookie somewhere with a specific username/password combo, then someone might be able to nab the cookie *if* they have access to the computer. If you set a cookie with a session id associated specifically with that computer's IP, then physical access becomes necessary to use it. But sometimes the outwards-facing IP can be shared between some computers, so there you'd need physical access to *one of* those computers.

    Session ids passed around on the URI line are susceptible to the same problems. Basically, the argument is that you should *never* trust your users -- always assume they're going to put malicious content into your site, and act accordingly (escape incoming data, etc).

    Slightly more draconian is the approach of also logging user activity so you know who `hacked' your system, so that you can ban them. If you ban them and someone hacked their account, they'll probably complain, and you can tell them to open a new account with a safer password.

    Etc. :-)

  6. #5
    Senior Member Steax's Avatar
    Join Date
    Dec 2006
    Location
    Bandung, Indonesia
    Posts
    1,207
    Member #
    14572
    I'm just kinda scared. Can users do direct sets to the session info on a certain site? Like can a user set $_SESSION['admin'] = true?
    Note on code: If I give code, please note that it is simply sample code to demonstrate an effect. It is not meant to be used as-is; that is the programmer's job. I am not responsible to give you support or be held liable for anything that happens when using my code.

  7. #6
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    Usually not, but it depends on the design of your site. If your site runs a page that sets $_SESSION['admin'] to a variable passed in POST or GET variables, there is the possibility that they could set it.

    There are entire books about this, I should mention ;-)

  8. #7
    Senior Member
    Join Date
    May 2003
    Location
    UK
    Posts
    2,354
    Member #
    1326
    If you take that route, setting a session variable to a user submitted variable, why not just check the user submitted variable, if it is "some value" then set the session variable to whatever you wish.

  9. #8
    Senior Member Steax's Avatar
    Join Date
    Dec 2006
    Location
    Bandung, Indonesia
    Posts
    1,207
    Member #
    14572
    And I happen to live in a country where a copy-paste of the 3dsmax tutorial manual is enough to qualify as a best-seller book in the best bookstores. So that's a dead-end for me. Until I go to Perth.

    Isn't session data contained in cookies? Is it on the users' computer? I just want to make sure that if I keep data in a session, it's safe from modifications..
    Note on code: If I give code, please note that it is simply sample code to demonstrate an effect. It is not meant to be used as-is; that is the programmer's job. I am not responsible to give you support or be held liable for anything that happens when using my code.

  10. #9
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    Session data itself is typically stored on the server, with a session id in a cookie on the browser that can be used to identify the session on the server and retrieve the associated data there.

    This is typically. You can, of course, opt to set cookies, instead :-)

  11. #10
    Senior Member Steax's Avatar
    Join Date
    Dec 2006
    Location
    Bandung, Indonesia
    Posts
    1,207
    Member #
    14572
    And, er, how do we set it to cookies? It would be a great security measure if I realized that all my sessions were set to cookies.

    However, why does my Firefox Web Developer Toolbar have a "clear session cookies" button? And in a version of script I'm using, I can't unregister session variables, and only by pressing this button, I can remove them. Could this be because the data is set in cookies? PS, thats on my local machine.
    Note on code: If I give code, please note that it is simply sample code to demonstrate an effect. It is not meant to be used as-is; that is the programmer's job. I am not responsible to give you support or be held liable for anything that happens when using my code.


Page 1 of 2 1 2 LastLast

Remove Ads

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
All times are GMT -6. The time now is 11:50 AM.
Powered by vBulletin® Version 4.2.3
Copyright © 2020 vBulletin Solutions, Inc. All rights reserved.
vBulletin Skin By: PurevB.com